The First "A" in NASA

1915-2015

"To serve the future needs of aviation by conducting research into, and
developing solutions for, the problems of flight, ..."

- Safe, Efficient Growth in Global Operations
- Real-Time System-Wide Safety Assurance
- Assured Autonomy for Aviation Transformation

NextGen: Develop and demonstrate future concepts, capabilities, and
technologies to support expected increase in capacity and mobility while
maintaining safety.
This Talk

How formal methods enable discovery in Air Traffic Management (ATM)
Air Traffic Management

Three competing objectives:
- Performance
- Capacity
- Safety
Air Traffic Management in the World

The International Air Transport Association (IATA) predicts that
passenger numbers are expected to reach 7.3 billion by 2034 (4.1%
average annual growth). 2

2 IATA Press Release No. 57, 16 October 2014.
Unmanned Aircraft Systems (UAS)

According to the Association for Unmanned Vehicle Systems International
(AUVSI) the cumulative impact between 2015 and 2025 to the US
economy resulting from the integration of UAS into the NAS will be more
than US $80 billion. 3

- Agricultural monitoring
- Disaster management
- News coverage
- Environmental monitoring
- Freight transport
- ...

3 Economic report of AUVSI, March 2013.


UAS are Here

. . . to stay

FAA: U.S. Airliner Nearly Collided With Drone in March
Incident Appears to be First Case of a Big U.S. Airliner Nearly Colliding With an Airborne Drone
By JACK NICAS
Updated May 9, 2014 7:56 p.m. ET

Pilot Says Drone Flew Past Jet Nearing J.F.K.
By PATRICK MCGEEHAN and JOSEPH GOLDSTEIN, MARCH 5, 2013 12:17 PM

Quadcopter drone flew 'deliberately close' to UK passenger plane
The incident occurred at Southend Airport with the pilot telling air traffic control that it was a "remote control helicopter [with a] very small engine"
James Vincent @jjvincent, Monday 27 October 2014 12:36 GMT
UAS in the National Airspace System (NAS)

A NASA Project

Develop key capabilities to enable routine and safe access for public and
civil use of UAS in non-segregated airspace operations.
The Main Challenge

Michael Huerta, Administrator, Federal Aviation Administration: 4

A bedrock principle of aviation is see and avoid. And if you don't
have a pilot on board the aircraft, you need something that will
substitute for that, which will sense other aircraft, and we can
ensure appropriate levels of safety.

4 http://www.pbs.org/newshour/bb/drone-industry-grows-faster-flick-joystick-regulation-lag
14 CFR Part 91

- 91.111 (a) No person may operate an aircraft so close to another
  aircraft as to create a collision hazard.
- 91.113 (b) General. When weather conditions permit, regardless of
  whether an operation is conducted under instrument flight rules or
  visual flight rules, vigilance shall be maintained by each person
  operating an aircraft so as to see and avoid other aircraft.
  When a rule of this section gives another aircraft the right-of-way, the
  pilot shall give way to that aircraft and may not pass over, under,
  or ahead of it unless well clear.
Detect and Avoid

(Formerly Known As Sense and Avoid)

- Detect and Avoid (DAA) was defined by the FAA as the combination
  of UAS Self-Separation (SS) plus Collision Avoidance (CA) as a
  means of compliance with 14 CFR Part 91, §91.111 and §91.113. 5
- DAA Requirements: DAA shall
  1. provide a geometric means to determine well-clear status
  2. interoperate with existing collision avoidance systems
  3. avoid undue concern for traffic aircraft
  4. enable self-separation capabilities

5 SAA for UAS Workshop Final Report, October 9, 2009.
Traffic Alert and Collision Avoidance System (TCAS)

- Family of airborne systems designed to reduce the risk of mid-air
  collisions between cooperative aircraft (i.e., transponder equipped).
- Mandated in the US for aircraft with greater than 30 seats or a
  maximum takeoff weight greater than 33,000 pounds.
- Current version, TCAS II, provides:
  - Traffic Alerts (TAs).
  - (Vertical) Resolution Advisories (RAs).
TCAS II TA and RA Volumes

Example of ACAS Projection Volume between 5000 and 10000 feet

Deconstructing TCAS II RA Detection Logic (I)

- Pairwise logic: ownship and intruder aircraft.
- TCAS volumes are based on distance and time functions on aircraft
  relative states:
  - Range $r$ and relative altitude $r_z$.
  - Time Tau:
    $$\tau = -\frac{r}{\dot r}$$
  - Time to co-altitude ($t_{coa}$).

Deconstructing TCAS II RA Detection Logic (II)

Times and distance functions are compared against a set of thresholds,
whose values depend on ownship's altitude:

- DMOD, ZTHR: Horizontal and vertical distance thresholds compared to
  $r$ and $r_z$, respectively.
- TAUMOD: Time threshold compared to $\tau$ and $t_{coa}$.

$$\mathrm{TCASII\_RA} = (r < \mathrm{DMOD} \lor (\tau < \mathrm{TAUMOD} \land \ldots)) \land (r_z < \mathrm{ZTHR} \lor t_{coa} < \mathrm{TAUMOD}).$$
The Story of Tau

- Tau is an approximation of time to closest point of approach ($t_{cpa}$).
- Tau is not necessarily a good approximation.
- In a non-accelerating encounter, $t_{cpa}$ decreases linearly with respect
  to time.

(Figure: $t_{cpa}$ and Tau vs. Time)

Modified Tau

- TCAS II Version 7.1 uses Modified Tau:
  $$\tau_{mod} = \frac{r^2 - \mathrm{DMOD}^2}{-r\dot r}$$
- Modified Tau is a more conservative approximation of $t_{cpa}$:

(Figure: Modified Tau, $t_{cpa}$, and Tau vs. Time)
Time to DMOD

(Also known as Time to Entry Point)

Time to DMOD, i.e., $t_{ep}$, is more conservative than Modified Tau and it
decreases linearly with time for non-accelerating encounters:
Towards a Geometric Definition of Well-Clear

Global positioning systems enable precise definitions of distance and time
functions.

- $(s_o, s_{oz})$, $(v_o, v_{oz})$: Ownship's position and velocity vectors.
- $(s_i, s_{iz})$, $(v_i, v_{iz})$: Intruder's position and velocity vectors.
- $s, v$: Relative horizontal position and velocity vectors, i.e.,
  $s = s_o - s_i$ and $v = v_o - v_i$.
- $s_z, v_z$: Relative vertical altitude and speed, i.e.,
  $s_z = s_{oz} - s_{iz}$ and $v_z = v_{oz} - v_{iz}$.

$$t_{cpa}(s, v) = -\frac{s \cdot v}{v^2}$$
$$\tau(s, v) = -\frac{s^2}{s \cdot v}$$
$$\tau_{mod}(s, v) = \frac{\mathrm{DMOD}^2 - s^2}{s \cdot v}$$
$$t_{ep}(s, v) = \frac{-s \cdot v - \sqrt{\Delta(s, v)}}{v^2}$$

where $\Delta(s, v) = \mathrm{DMOD}^2\, v^2 - (s \cdot v^{\perp})^2$.
Three Little Lemmas

For all $s, v$ representing non-accelerating converging encounters predicted
to cross DMOD, i.e., $s \cdot v < 0$, $s^2 > \mathrm{DMOD}^2$, and $\Delta(s, v) > 0$,

- Lemma 1: $t_{ep}(s, v) \leq \tau_{mod}(s, v) \leq t_{cpa}(s, v) \leq \tau(s, v)$.
- Lemma 2: Let $t_{var}$ be one of $\{t_{ep}, \tau_{mod}, t_{cpa}, \tau\}$,
  $$t_{var}(s, v) = t_{var}(-s, -v).$$
- Lemma 3: Let $t_{var}$ be one of $\{t_{ep}, \tau_{mod}, t_{cpa}\}$, for all
  $0 < t_1 < t_2 < t_{cpa}(s, v)$,
  $$t_{var}(s + t_1 v, v) > t_{var}(s + t_2 v, v).$$
A Formal Definition of Well Clear

Requirement 1: WC shall provide a geometric means to determine well-clear status

Let $t_{var}$ be one of $\{t_{ep}, \tau_{mod}, t_{cpa}, \tau\}$; two aircraft are in
$t_{var}$-well-clear violation if and only if $\mathrm{WCV}_{t_{var}}(s, s_z, v, v_z)$ holds.

$$\mathrm{WCV}_{t_{var}}(s, s_z, v, v_z) = \mathrm{Horizontal\_WCV}_{t_{var}}(s, v) \land \mathrm{Vertical\_WCV}(s_z, v_z), \qquad (1)$$

where

$$\mathrm{Horizontal\_WCV}_{t_{var}}(s, v) = \|s\| < \mathrm{DMOD} \lor (d_{cpa}(s, v) < \mathrm{DMOD} \land 0 \leq t_{var}(s, v) < \mathrm{TAUMOD}),$$
$$d_{cpa}(s, v) = \|s + t_{cpa}(s, v)\, v\|,$$
$$\mathrm{Vertical\_WCV}(s_z, v_z) = |s_z| < \mathrm{ZTHR} \lor 0 \leq t_{coa}(s_z, v_z) < \mathrm{TCOA},$$
$$t_{coa}(s_z, v_z) = -\frac{s_z}{v_z}.$$

A Family of Well-Clear Volumes
Well-Clear Properties: Inclusion

Requirement 2: WC shall interoperate with existing collision avoidance systems

For an appropriate choice of threshold values, i.e., DMOD, ZTHR, TAUMOD,
and TCOA, the violation volumes determined by $\mathrm{WCV}_{\tau_{mod}}(s, s_z, v, v_z)$ and
$\mathrm{WCV}_{t_{ep}}(s, s_z, v, v_z)$ are larger than the TCAS II RA volume.
Well-Clear Properties: Symmetry

Requirement 3: WC shall avoid undue concern for traffic aircraft

In any encounter, the intruder aircraft makes the same determination as
the ownship about the well-clear status.
Well-Clear Properties: Local Convexity

Requirement 4: WC shall enable self-separation capabilities

Theorem 3 (Local Convexity)

Let $t_{var}$ be one of $\{t_{ep}, \tau_{mod}, t_{cpa}\}$, for all $(s, s_z)$, $(v, v_z)$, $t_1 < t_2 < t_3$,

$$\mathrm{WCV}_{t_{var}}(s + t_1 v, s_z + t_1 v_z, v, v_z) \land \mathrm{WCV}_{t_{var}}(s + t_3 v, s_z + t_3 v_z, v, v_z) \implies \mathrm{WCV}_{t_{var}}(s + t_2 v, s_z + t_2 v_z, v, v_z).$$

In a non-accelerating encounter, there is at most one time interval where
the aircraft are in well-clear violation.
Well-Clear Algorithms: Detection

The following algorithm returns the time interval of $t_{var}$-well-clear violation
within a lookahead time $T$ (an interval whose lower bound exceeds its upper
bound, such as $[T, 0]$, is empty, i.e., no violation is predicted).

detection_WCV_tvar(s, s_z, v, v_z, T) =
  let [t1, t2] = detection_VWCV(s_z, v_z, T) in
    if t1 > t2 then [T, 0]
    elsif t1 = t2 and Horizontal_WCV_tvar(s + t1 v, v) then [t1, t1]
    elsif t1 = t2 then [T, 0]
    else let [t_in, t_out] = detection_HWCV_tvar(s + t1 v, v, t2 - t1) in
      [t_in + t1, t_out + t1]
    endif,

where

detection_VWCV(s_z, v_z, T) = ...
detection_HWCV_tvar(s + t1 v, v, t2 - t1) = ...
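The well-clear predicate of equation (1), the three lemmas, and the detection algorithm above, carried through in code. This is an added example and not DAIDALUS or NASA code: the time functions, the predicate, the lemma checks and a sampled detection_WCV (which scans the lookahead in fixed steps instead of the closed-form detection_VWCV and detection_HWCV helpers that the slides elide) are my own, and the threshold values are constructed samples rather than the standard's values.

```python
"""Well-clear predicate, the three lemmas, and violation-interval detection.
Added example, not DAIDALUS code. s, v: relative horizontal position/velocity
(ownship minus intruder); sz, vz: relative altitude and vertical speed.
Thresholds are constructed samples (assumed ft, ft, s, s)."""
import math

DMOD, ZTHR, TAUMOD, TCOA = 4000.0, 450.0, 35.0, 20.0

def dot(a, b): return a[0] * b[0] + a[1] * b[1]
def sq(a): return dot(a, a)
def perp(a): return (a[1], -a[0])  # a^perp, so dot(s, perp(v)) is det(s, v)

# Time functions of the talk; math.inf when the aircraft are not converging.
def t_cpa(s, v): return -dot(s, v) / sq(v) if sq(v) > 0 else 0.0
def tau(s, v): return -sq(s) / dot(s, v) if dot(s, v) < 0 else math.inf
def tau_mod(s, v): return (DMOD**2 - sq(s)) / dot(s, v) if dot(s, v) < 0 else math.inf
def delta(s, v): return DMOD**2 * sq(v) - dot(s, perp(v))**2
def t_ep(s, v):
    d = delta(s, v)  # negative: the relative track never enters the DMOD circle
    return (-dot(s, v) - math.sqrt(d)) / sq(v) if dot(s, v) < 0 and d >= 0 else math.inf
def d_cpa(s, v):
    t = t_cpa(s, v)
    return math.hypot(s[0] + t * v[0], s[1] + t * v[1])
def t_coa(sz, vz): return -sz / vz if sz * vz < 0 else math.inf

# WCV_tvar of equation (1): horizontal and vertical violation together.
def horizontal_wcv(tvar, s, v):
    return sq(s) < DMOD**2 or (d_cpa(s, v) < DMOD and 0 <= tvar(s, v) < TAUMOD)
def vertical_wcv(sz, vz):
    return abs(sz) < ZTHR or 0 <= t_coa(sz, vz) < TCOA
def wcv(tvar, s, sz, v, vz):
    return horizontal_wcv(tvar, s, v) and vertical_wcv(sz, vz)

def lemma1_holds(s, v):
    """Lemma 1 ordering on a converging encounter predicted to cross DMOD."""
    assert dot(s, v) < 0 and sq(s) > DMOD**2 and delta(s, v) >= 0
    return t_ep(s, v) <= tau_mod(s, v) <= t_cpa(s, v) <= tau(s, v)

def lemma2_holds(tvar, s, v):
    """Lemma 2 (symmetry): the intruder's frame (-s, -v) gives the same time."""
    return tvar(s, v) == tvar((-s[0], -s[1]), (-v[0], -v[1]))

def detection_wcv(tvar, s, sz, v, vz, T, dt=1.0):
    """Sampled detection_WCV: scan [0, T] in steps of dt and return [t_in, t_out]
    of the violation interval (unique by local convexity), or [T, 0] if none."""
    hits = []
    for k in range(int(T / dt) + 1):
        t = k * dt
        if wcv(tvar, (s[0] + t * v[0], s[1] + t * v[1]), sz + t * vz, v, vz):
            hits.append(t)
    return [hits[0], hits[-1]] if hits else [T, 0.0]
```

Running the three variants on the same converging encounter shows Lemma 1 in action: the more conservative the time function, the earlier the predicted entry into violation, while the exit time (leaving the DMOD circle) is the same for all of them.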
(Figure: detection_WCV_tvar)
Well-Clear Algorithms: Self-Separation Bands

Bands are ranges of track, ground speed, and vertical speed that lead to
well-clear.

(Figure legend)
- Region in space where well-clear violation is predicted, based on a range
  of maneuvers.
- Maneuver ending at lookahead time.
- α: Ownship performance limitation, right.
- β: Ownship performance limitation, left.
- γ: Range of maneuvers predicted to lead to well-clear violation (conflict
  bands).
- Ownship.
DAIDALUS: Detect and Avoid Alerting Logic for Unmanned Systems 6

- Open source implementation in Java and C++ of formally verified
  DAA algorithms.
- Considered for inclusion as DAA reference implementation in RTCA
  Minimum Operational Performance Standards (MOPS) for Unmanned
  Aircraft Systems.

6 Logo was designed by Mahyar Malekpour (NASA).
DAIDALUS in Theory

- Family of well-clear volumes defined in the Program Verification
  System (PVS).
- Formally proved in PVS that WC volumes satisfy high-level
  requirements: inclusion, symmetry, local convexity.
- Formally specified WC algorithms: detection, self-separation bands,
  and alerting.
- Formally verified correctness of the algorithms against functional
  requirements.

PVS Library   #Theories   #Proofs   #Lines of Spec.
ACCoRD        77          1,211     8,601
TCASII        9           142       784
WellClear     19          236       1,244
DAIDALUS      21          385       3,509
Total         126         1,974     14,138
DAIDALUS in PVS

DAIDALUS in Practice

- Code released under NASA Open Source Agreement:
  - Java: 34,371 (loc).
  - C++: 40,445 (loc).
- DAIDALUS is currently being used in human-in-the-loop experiments
  independently conducted at NASA and FAA.
DAIDALUS Verification and Validation

(Ongoing work)

(Figure: Formal Model)
Formal Methods in Air Traffic Management

Technical Challenges

- Most modern verification systems have limited support for continuous
  mathematics.
- Algorithms are long, statements are longer, and proofs are even
  longer.
- Developed PVS decision and semi-decision procedures based on
  interval arithmetic, affine arithmetic, Bernstein polynomials, Sturm
  and Tarski theorems. More are needed.
- The elephant in the room: floating point numbers.
Formal Proofs in the Real Field

[-1]  eps = 1 OR eps = -1
[-2]  v`y*eps <= 0
[-3]  rd`y*eps < 0
[-4]  ((v`x = 0 AND v`y = 0) IMPLIES rd`x >= 0)
[-5]  ((v`x /= 0 OR v`y /= 0) IMPLIES rd`x > v`x)
[-6]  rd`x*v`y*eps-rd`y*v`x*eps <= 0
[-7]  mps`y*eps+rd`y*eps < 0
[-8]  v`x >= 0
[-9]  (dv`x /= 0 OR dv`y /= 0)
[-10] mps`x*rd`y*eps-mps`y*rd`x*eps <= 0
[-11] -1*(dv`x*mps`y*eps)-dv`x*rd`y*eps+dv`y*mps`x*eps+dv`y*rd`x*eps < 0
[-12] ((rd`x*mps`x+rd`x*rd`x+rd`y*mps`y+rd`y*rd`y < 0 AND
        dv`x*rd`y*eps-dv`y*rd`x*eps < 0) OR (rd`x*mps`x+rd`x*rd`x+
        rd`y*mps`y+rd`y*rd`y >= 0 AND dv`x*mps`x+dv`x*rd`x+dv`y*mps`y+
        dv`y*rd`y > rd`x*mps`x+rd`x*rd`x+rd`y*mps`y+rd`y*rd`y
        AND dv`x*rd`y*eps-dv`y*rd`x*eps <= 0))

[1]   (dv`x /= 0 OR dv`y /= 0) AND dv`y*eps < 0 AND ((v`x = 0 AND v`y = 0)
      IMPLIES dv`x >= 0) AND ((v`x /= 0 OR v`y /= 0) IMPLIES dv`x > v`x)
      AND dv`x*v`y*eps-dv`y*v`x*eps <= 0
Formal Methods in Air Traffic Management

Practical Challenges

ATM is a non-traditional formal methods domain:
- ATMer: Formal what? - FMist: Air Traffic what?
- ATM is more than software and avionics systems.
- ATM is a real globally distributed system.
- Revolutionary approaches vs. Evolutionary approaches.
- Theoretical solutions vs. Practical solutions.
To Bring Home

As for the future, your task is not to foresee it, but to enable it.

Antoine de Saint-Exupéry (1900-1944)

Formal methods are enabling the worldwide evolution of the Next
Generation of Air Traffic Systems.